
Showing posts with label Mongolia. Show all posts

Wednesday, 28 November 2012

Changelog spam / ganadeion.ru

This fake changelog spam leads to malware at ganadeion.ru:


Date:      Wed, 28 Nov 2012 05:21:35 -0500
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changelog as promised (upd.)

Hello,

as prmised updated changelog - View

C. BERGMAN
The malicious payload is at [donotclick]ganadeion.ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)

Tuesday, 27 November 2012

Wire transfer spam / gurmanikia.ru

This fake wire transfer spam leads to malware on gurmanikia.ru:

Date:      Tue, 27 Nov 2012 01:14:15 -0500
From:      Emerita Ayers via LinkedIn [member@linkedin.com]
Subject:      RE: Your Wire Transfer N27172774

Dear Customers,

Wire debit transfer was canceled.



Canceled transfer:

FED NUMBER: 6946432301WIRE298280

Transaction Report: View



Federal Reserve Wire Network
The malicious payload is at [donotclick]gurmanikia.ru:8080/forum/links/column.php hosted on the following well-known malicious IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)

"Copies of Policies" spam / ganiopatia.ru

This spam leads to malware on ganiopatia.ru:


Date:      Mon, 26 Nov 2012 02:31:10 -0500
From:      sales1@victimdomain.com
Subject:      RE: ALINA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

ALINA Prater,

==========


Date:      Mon, 26 Nov 2012 02:26:33 +0300
From:      ALISHIADBSukwQEf@aol.com
Subject:      RE: ALISHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.

ALISHIA Gee,

==========

From: accounting@victimdomain.com
Sent: 26 November 2012 08:42
Subject: RE: MARCELLE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.

MARCELLE SPENCE,

==========

From: accounting@victimdomain.com
Sent: 26 November 2012 07:54
Subject: RE: KASSIE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

KASSIE ROMANO,


The malicious payload is at [donotclick]ganiopatia.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)

Note that ganalionomka.ru is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times; blocking access to them would be a good idea.

Friday, 23 November 2012

"Changlog 10.2011" spam / efaxinok.ru

This spam leads to malware on efaxinok.ru:

Date:      Fri, 23 Nov 2012 10:14:22 +0600
From:      "Contact" [customer-notification@ups.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog-212.htm

Good morning,

as promised changelog (Internet Explorer File)
The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66

These are the same IPs as used in this attack yesterday, and it forms part of a long-running malicious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster, delemiator.ru, which I haven't yet seen used in a malicious spam run, but it probably will be.

Thursday, 22 November 2012

Facebook spam / ceredinopl.ru

This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl.ru:

Date:      Thu, 22 Nov 2012 01:30:38 -0700
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
REFUGIA MERRILL has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]ceredinopl.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)

The following IPs and domains are all connected:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
ceredinopl.ru
investinindia.ru
hamasutra.ru
feronialopam.ru
monacofrm.ru
bamanaco.ru
ionalio.ru
investomanio.ru
veneziolo.ru
fanatiaono.ru
analunakis.ru

Tuesday, 20 November 2012

"Don't forget about meeting tomorrow" spam / hamasutra.ru

This spam leads to malware on hamasutra.ru:

From: Lula Stevens [mailto:JolieWright@shaw.ca]
Sent: 20 November 2012 05:57
Subject: Don't forget about meeting tomorrow

Don't forget this report for meeting tomorrow.
See attached file. (Internet Explorer file) 

In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra.ru:8080/forum/links/column.php hosted on the following IPs:

82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)

Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66

Thursday, 15 November 2012

Changelog spam / feronialopam.ru

This fake "Changelog" spam leads to malware on feronialopam.ru:


Date:      Thu, 15 Nov 2012 10:43:59 +0300
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Changelog 2011 update
Attachments:     changelog-12.htm

Hello,



as promised chnglog attached (Internet Explorer File)

==========



Date:      Thu, 15 Nov 2012 05:43:09 -0500
From:      Chaz Shea via LinkedIn [member@linkedin.com]
Subject:      Re: Changelog as promised(updated)
Attachments:     Changelog-12.htm

Hello,



as prmised changelog is attached (Internet Explorer File)

The malicious payload is at [donotclick]feronialopam.ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:

120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)

Tuesday, 13 November 2012

"End of Aug. Statmeent" spam / veneziolo.ru

The spam never stops: this malicious email leads to malware at veneziolo.ru:

Date:      Tue, 13 Nov 2012 12:27:15 -0500
From:      Mathilda Allen via LinkedIn [member@linkedin.com]
Subject:      Re: End of Aug. Statmeent required
Attachments:     Invoices12-2012.htm

Good morning,

as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)

Regards
The malicious payload is at [donotclick]veneziolo.ru:8080/forum/links/column.php hosted on the same IPs seen earlier today, the following IPs and domains are all related:

41.168.5.140
62.76.46.195
62.76.178.233
62.76.186.190
62.76.188.246
65.99.223.24
84.22.100.108
85.143.166.170
87.120.41.155
91.194.122.8
103.6.238.9
120.138.20.54
132.248.49.112
202.180.221.186
203.80.16.81
207.126.57.208
209.51.221.247
213.251.171.30
216.24.194.66
canadianpanakota.ru
controlleramo.ru
denegnashete.ru
forumibiza.ru
kiladopje.ru
lemonadiom.ru
limonadiksec.ru
monacofrm.ru
moneymakergrow.ru
omahabeachs.ru
peneloipin.ru
rumyniaonline.ru
uzoshkins.ru
veneziolo.ru

"Your flight" spam / monacofrm.ru

These spam email messages lead to malware on monacofrm.ru:

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581

Dear Customer,

FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.


NAOMI PATTON,

==========

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733

Dear Customer,

FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.



Adon Walton,

==========

Date:      Tue, 13 Nov 2012 08:20:21 +0400
From:      accounting@victimdomain.com
Subject:      Re: Your Flight A230-63955
Attachments:     FLIGHT_TICKET_A04897499.htm

Dear Customer,



FLIGHT NR: 43070-0328

DATE/TIME : JAN 24, 2013, 12:19 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 323.97 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.



SHERILYN BREWER,

==========

Date:      Tue, 13 Nov 2012 02:14:56 +0700
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Your Flight A13-6235
Attachments:     FLIGHT_TICKET_A56970327.htm

Dear Customer,



FLIGHT NR: 7504-638

DATE/TIME : JAN 20, 2013, 18:10 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 089.74 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

ROSANA Gallo,

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)

The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added:

There's a Wire Transfer spam using the same payload too:

From: Amazon.com [mailto:account-update@amazon.com]
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation

Dear Bank Account Operator,

WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

Friday, 9 November 2012

Changelog spam / canadianpanakota.ru

This spam leads to malware on canadianpanakota.ru:

Date:      Fri, 9 Nov 2012 11:55:11 +0530
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog4-2012.htm

Hello,
as promised changelog,(Internet Explorer File)
The attachment leads to a malicious payload at [donotclick]canadianpanakota.ru:8080/forum/links/column.php hosted on the following IPs:

120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)


These IPs will probably be used in other attacks; blocking access to them now might be prudent. The following IPs and domains are all related:


120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota.ru
controlleramo.ru
donkihotik.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
lemonadiom.ru
peneloipin.ru
moneymakergrow.ru
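The posts above keep publishing overlapping "related IPs and domains" lists and recommending that they be blocked. The script below, an added example that is not code from this blog, parses three of those lists as they appear on this page (22 November, 20 November and 9 November), drops anything that is neither a valid IP address nor a plausible hostname, merges them, reports which IPs recur across clusters, and renders the result as iptables rules, hosts-file lines or a DNS RPZ zone fragment. The function names, the choice of output formats and the copied list text are assumptions of the example.

```python
"""Merge the IP/domain cluster lists quoted on this page into one deduplicated
blocklist.  Added example, not code from the original blog posts; the three
text blocks below are copied from the posts, everything else is assumed."""
import ipaddress
import re

# Plausible hostname: dotted labels, alphabetic TLD, 253 chars max.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)

# Lists copied from this page (22 Nov, 20 Nov and 9 Nov 2012 posts).
NOV22 = """\
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)
ceredinopl.ru
investinindia.ru
hamasutra.ru
feronialopam.ru
monacofrm.ru
bamanaco.ru
ionalio.ru
investomanio.ru
veneziolo.ru
fanatiaono.ru
analunakis.ru
"""
NOV20 = """\
82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)
"""
NOV9 = """\
120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota.ru
controlleramo.ru
donkihotik.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
lemonadiom.ru
peneloipin.ru
moneymakergrow.ru
"""


def parse_ioc_block(text):
    """Split a pasted list into (ips, domains).

    Only the first token of each line is used, so annotations such as
    '(GNet, Mongolia)' are ignored.  Tokens that are neither a valid IP
    address nor a plausible hostname are dropped rather than guessed at."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields:
            continue
        token = fields[0].lower().rstrip(".")
        try:
            ips.add(str(ipaddress.ip_address(token)))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(token):
            domains.add(token)
    return ips, domains


def merge_clusters(*blocks):
    """Union parsed (ips, domains) tuples; also return IPs seen in more than one list."""
    all_ips, all_domains, seen_in = set(), set(), {}
    for ips, domains in blocks:
        all_ips |= ips
        all_domains |= domains
        for ip in ips:
            seen_in[ip] = seen_in.get(ip, 0) + 1
    recurring = {ip for ip, n in seen_in.items() if n > 1}
    return all_ips, all_domains, recurring


def page_clusters():
    """Parse and merge the three lists copied from this page."""
    return merge_clusters(*(parse_ioc_block(t) for t in (NOV22, NOV20, NOV9)))


def render(ips, domains, fmt):
    """Render the blocklist as iptables rules, hosts-file lines or an RPZ zone fragment."""
    by_addr = lambda ip: ipaddress.ip_address(ip)   # numeric sort (all IPv4 here)
    if fmt == "iptables":
        return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(ips, key=by_addr)]
    if fmt == "hosts":
        return [f"0.0.0.0 {d}" for d in sorted(domains)]
    if fmt == "rpz":   # NXDOMAIN the name and every subdomain under it
        return [line for d in sorted(domains) for line in (f"{d} CNAME .", f"*.{d} CNAME .")]
    raise ValueError(f"unknown format {fmt!r}")


if __name__ == "__main__":
    ips, domains, recurring = page_clusters()
    print(f"{len(ips)} IPs, {len(domains)} domains; recurring IPs: {sorted(recurring, key=ipaddress.ip_address)}")
    for fmt in ("iptables", "hosts", "rpz"):
        print("\n".join(render(ips, domains, fmt)))
```

The recurring set is the useful part: the Mongolian and Malaysian addresses (and one Psychz address) turn up in every one of the three lists, which is the "same cluster of servers" observation the posts make, and those are the entries worth blocking at the network edge rather than only at DNS.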


Thursday, 27 September 2012

Intuit spam / buycelluleans.com

This fake Intuit spam leads to malware on buycelluleans.com

From: Intuit PaymentNetwork [mailto:treacheriesz2@luther.k12.wi.us]
Sent: 27 September 2012 15:24
Subject: Your payroll verification is started by Intuit.


Direct Deposit Service System information
Request status

Dear [redacted]
We received your payroll on September 27, 2012 at 3:28 AM Pacific time.
•    Funds will be transitioned from the bank account number: 6 XXXXX1345 on September 28, 2012.
•    Amount to be withdrawn: $1,107.47
•    Paychecks would be transferred to your employees' accounts on: September 28, 2012
•    Please take a look at your payroll here.
Funds are typically withdrawn before normal bank working hours so please make sure you have sufficient funds available by 12 a.m. Pacific time on the date funds are to be processed.
Intuit must obtain your payroll by 5 p.m. Pacific time, two banking days before your payment date or your personnel payment will be aborted. QuickBooks doesn't proceed payrolls on weekends and federal banking legal holidays. A list of federal banking off-days can be accessed at the Federal Reserve holyday schedule}.
Thank you for your business.
Sincerely,
Intuit Services
NOTICE: This information was sent to inform you of a some actions at your account or software. Please mind that if you confirmed option of receiving informative materials from Intuit QuickBooks you may continue to receive informational materials similar to this message that affect your service or software.
If you have any questions or comments about this email please DO NOT REPLY to this message. If you need further information please contact us.
If you receive an message that appears to come from Intuit but that you suspect is a scam email, submit it on a link below customer feedback .
Copyright 2008-2012 Intuit Inc. QuickBooks and Intuit are registered of or registered service marks of Intuit Inc. in the US and other countries. This email message is not intended to supplement, modify or extend the Intuit software license agreement between you and Intuit for any Intuit product or service.
Intuit Inc. Customer Information Services
2816 A. Commerce Center Place, Tucson, AZ 84516

The malicious payload is at [donotclick]buycelluleans.com/detects/groups_him.php (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). This IP address has been used several times for malware distribution and should be blocked if you can.

Wednesday, 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net

Monday, 24 September 2012

Amazon.com spam / pallada-cruise.net

This fake Amazon spam leads to malware on pallada-cruise.net:

From:     Belinda Gallagher vigilancejy586@williamsguitarcompany.com
To:     [redacted]
Date:     24 September 2012 18:44
Subject:     Your Order Shipped Now

Amazon    
Your Orders | Your Account | Amazon.com
Order Confirmation
Order #002-3989927-06014360

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that our shop shipped your item, and that this completes your order.. If you need to return an good from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated delivery date is:

Friday, September 21, 2012

Why tracking information may not be available?
    Your order was shipped to:

[redacted]
006 S Academy St, App. 1D
S Paolo, DC
United States

This shipment have no an associated delivery tracking No..

Shipment Details
   

LG 42LW5302, SV 46-Inch 720p 120 Hz Cinema 3D LCD HDTV with 3D Blu-ray Player and Four Pairs of 3D Glasses
Sold by onner
Condition: not-used before
    $612.35
Item Subtotal:     $612.35
Shipping & Handling:     $20.43
Total Before Tax:     $612.35
Shipment Total:     $612.35
Paid by MC:     $612.35

Returns are easy. Visit our ON-line Return Center.
If you need further assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and item provider information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

The malicious payload (probably a Blackhole 2 exploit kit) is at [donotclick]pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php hosted on 203.91.113.6 (G Mobile, Mongolia), an IP address that has been very active in spreading badness and which you should block if you can.

Thursday, 20 September 2012

Amazon.com spam / webgrafismo.net and 203.91.113.6


This fake Amazon.com spam leads to malware on webgrafismo.net:


Date:      Fri, 21 Sep 2012 03:44:47 +0800
From:      "Adolfo Bruno" [debitst54@uky.edu]
Subject:      Your HD TV Delivered Yesterday

  
Your Orders | Your Account | Amazon.com
Shipping Confirmation
Order #002-9587043-55406590

Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated shipment delivery date is:

Friday, September 21, 2012

Why tracking information may be unavailable?
    Your order was sent to:

[redacted]
572 9th Ave, App. 2D
S Paolo, TX
United States

This shipment does not have an associated delivery tracking No..

Conveyance Data
  

Sharp XVT3D32, SV 46-Inch 1080p 1000 Hz Cinema 3D LED-LCD HDTV with 3D Blu-ray Player and Two Pairs of 3D Glasses
Sold by secondipity
Condition: used - acceptable
    $740.43
Item Subtotal:     $740.43
Shipping & Handling:     $22.40
Total Before Tax:     $740.43
Shipment Total:     $740.43
Paid by Maestro:     $740.43

Returns are easy. Visit our ON-line Return Center.
If you need urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.

==========

Date:      Thu, 20 Sep 2012 20:51:04 +0100
From:      "Ned@mc2school.org" [Ned@ataonline.com.tr]
Subject:      Re: HDTV Shipped Yesterday

Your Orders | Your Account | Amazon.com                                          
Order Processing Confirmation                                          
Order #002-1662198-01565354                                                                      
Greetings [redacted],

Thank you for shopping with us. Wethought you'd like to know that amazon shipped your item, and that this completes your order.. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.
Your estimated  shipment date is:

Friday, September 21, 2012

Why tracking information may  be not available?
        Your order  was delivered to:

[redacted]
148 S Academy Dr, App. 1D
Albuquerque, KY
United States

This shipment does not have an associated delivery  tracking number.                          

Order                                   

Sony  XVT3D15, SV 42-Inch 1080p 600 Hz Cinema 3D  LCD HDTV  with 3D Blu-ray Player and  Two Pairs of 3D Glasses
Sold by  onner
Condition:  used-new
        $594.65
Item Subtotal: $594.65
Shipping & Handling:   $22.34
Total Before Tax:      $594.65
Shipment Total:        $594.65                                            
Paid by  Discover:     $594.65                                                          
Returns are easy. Visit our ON-line Return Center.
If you need  urgent assistance with your order, please visit Merchant Contact Form.

We hope to see you again soon!
Amazon.com

Unless otherwise noted, items are sold by Amazon LLC. Learn more about tax and shop information.

This email was sent from a notification-only address that cannot accept incoming email. Please don't reply to this message.                     
                                                                                         
The malicious payload is at [donotclick]webgrafismo.net/detects/rates-event_convinced-sent.php hosted on a known bad IP address of 203.91.113.6 (G Mobile, Mongolia). The exploit kit is probably Blackhole 2 given its characteristics.

If you can block this IP address then I strongly advise it. Other malicious sites on the same IP include:

penel-opessong.com
sncahmn.com
xlzones.com
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
sowendo.net
thebummwrap.net
allmn-leicncester.net
bode-sales.net
webgrafismo.net

Tuesday, 18 September 2012

IRS spam / xlzones.com

More IRS themed spam, this time leading to malware on xlzones.com:

From: Internal Revenue Service [mailto:papillaq9@wonderware.com]
Sent: 18 September 2012 15:22
Subject: Your IRS federal tax payment has not been accepted
Importance: High


Your Federal Tax transaction (ID: 1550573369185), recently sent from your bank account was returned by The Electronic Federal Tax Payment System.
Not Accepted Tax transfer
Tax Transaction ID:     1550573369185
Reason ID    See details in the report below
Income Tax Transaction Report    tax_report_1550573369185.doc (Microsoft Word Document)

Internal Revenue Service P.O. Box 996 Davis 99627 NY 

The malicious payload can be found at [donotclick]xlzones.com/detects/char-storing-hate.php and [donotclick]xlzones.com/maintain/java.jar (report here) hosted on the familiar IP address of 203.91.113.6 (G Mobile, Mongolia). Block this IP if you can, and also beware of these other malicious domains on the same server:
centennialfield.net
blue-lotusgrove.net
virtual-geocaching.net
afgreenwich.net
cedarbuiltok.net
thebummwrap.net
bode-sales.net
cat-mails.net
xlzones.com

Monday, 17 September 2012

IRS Spam / virtual-geocaching.net

This spam leads to malware on virtual-geocaching.net:

Date:      Mon, 17 Sep 2012 11:28:14 -0600
From:      Internal Revenue Service [tangierss4@porterorlin.com]
Subject:      IRS report of not approved tax transfer

Your State Tax transfer (ID: 30062091798009), recently sent from your checking account was returned by Internal Revenue Service payment processing unit.

Not Accepted Tax transaction
Tax Transaction ID:     30062091798009
Reason of rejection     See details in the report below
Federal Tax Transaction Report     tax_report_30062091798009.doc (Microsoft Word Document)

Internal Revenue Service 3192 Aliquam Rd. Davis 71320 VA 
The malicious payload is at [donotclick]virtual-geocaching.net/main.php?page=7de3f5c4200c896e (report here) on 203.91.113.6 (G Mobile, Mongolia) as used in this recent attack and several others.

IRS spam / thebummwrap.net

This fake IRS spam leads to malware on thebummwrap.net:

From: Internal Revenue Service [mailto:fascinatesh07@deltamar.net]
Sent: 17 September 2012 15:30
Subject: Your federal tax transaction has been not accepted


Your State Tax transaction (ID: 60498447771657), recently initiated from your bank account was canceled by The Electronic Federal Tax Payment System.
Not Accepted Tax transaction
Tax Transaction ID:     60498447771657
Rejection code    See details in the report below
Income Tax Transaction Report    tax_report_60498447771657.doc (Microsoft Word Document)

Internal Revenue Service Ap #822-9450 Cum Avenue Edmond 33020 MI


The malicious payload is at [donotclick]thebummwrap.net/main.php?page=7de3f5c4200c896e hosted on 203.91.113.6 (G Mobile Mongolia) which has been used several times recently for evil purposes.

At the moment, the following sites seem to be active on the server; all can be assumed to be malicious.

thebummwrap.net
centennialfield.net
blue-lotusgrove.net
afgreenwich.net
bode-sales.net
cat-mails.net
nitor-solutions.net

Tuesday, 11 September 2012

US Airways spam / blue-lotusgrove.net

A couple of samples of a fake US Airways spam email leading to malware on blue-lotusgrove.net:


Date:      Tue, 11 Sep 2012 15:32:42 -0300
From:      "US Airways - Reservations" [reservations@myusairways.com]
Subject:      Please confirm your US Airways online registration.
   
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 592499

Check-in online: Online reservation details

Flight

6840    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 9/12/2012    

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

==========


Date:      Tue, 11 Sep 2012 23:29:14 +0700
From:      "US Airways - Reservations" [intuitpayroll@e.payroll.intuit.com]
Subject:      US Airways online check-in.

you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details

flight

{digit}    
departure city and time

washington, dc (dca) 10:00pm

depart date: 9/12/2012    


we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.

The malicious payload is at [donotclick]blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia), the same IP used in this attack. The following domains are on the same server; they can all be considered malicious:


padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
dushare.net
blue-lotusgrove.net
nitor-solutions.net
gsigallery.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz

Friday, 7 September 2012

FedEx spam / dushare.net and gsigallery.net

Two fake FedEx campaigns today, with a format similar to the one found here but with different payload sites of dushare.net and gsigallery.net.

In the first case, the malicious payload is at [donotclick]dushare.net/main.php?page=c82ec1c8d6998cf0 (report here) hosted on 203.91.113.6 (G Mobile, Mongolia). In the second case the payload is at [donotclick]gsigallery.net/main.php?page=2bfd5695763b6536 (report here) also hosted on 203.91.113.6.

The following domains are on the same server and should also be treated as being suspect.

padded.pl
spiki.pl
fruno.pl
nextbox.pl
omariosca.com
hemiga.com
decorera.com
seneesamj.com
obweesysho.com
unitmusiceditior.com
likenstendarts.com
flatbuzz.com
morepic.net
atfood.ru
indyware.ru
advia.kz
iowa.kz
autumn.kz
wet.kz
dushare.net
gsigallery.net
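The posts on this page quote the same few landing-page URL shapes over and over: host:8080/forum/links/column.php in the November posts, and /detects/<words>.php, /main.php?page=<16 hex characters> and /maintain/java.jar in the September posts, all sitting on a handful of hosting IPs. The script below is an added example, not code from this blog, that turns those shapes and IPs into detection logic and runs it over a few constructed proxy-log lines. The log format ("timestamp client method url status"), the classify_url/scan_log names and the sample lines are assumptions of the example; the hosts, paths and IPs in them are the ones quoted on this page.

```python
"""Flag proxy-log requests matching the landing-page URL shapes and hosting
IPs documented on this page.  Added example, not code from the original blog;
the log format and the sample log lines are constructed."""
import re
from urllib.parse import urlsplit

# Hosting IPs named on this page: the November ":8080/forum/links/column.php"
# cluster plus 203.91.113.6 (G Mobile, Mongolia) from the September posts.
BAD_IPS = {
    "202.180.221.186", "203.80.16.81", "208.87.243.131", "216.24.196.66",
    "216.24.194.66", "120.138.20.54", "82.165.193.26", "203.91.113.6",
}

# URL shapes quoted on this page: (label, path regex, query regex or None).
URL_SHAPES = [
    # host:8080/forum/links/column.php (November posts; port is not required here
    # so a move to another port still matches)
    ("forum-links-column", re.compile(r"^/forum/links/column\.php$"), None),
    # host/detects/<word>[-_<word>...].php, and one /links/<word>-<word>.php (September)
    ("detects-links-php",
     re.compile(r"^/(?:detects|links)/[a-z]+(?:[-_][a-z]+)*\.php$"), None),
    # host/main.php?page=<16 lowercase hex chars> (September posts)
    ("main-page-hex", re.compile(r"^/main\.php$"), re.compile(r"^page=[0-9a-f]{16}$")),
    # host/maintain/java.jar, the Java payload quoted in the xlzones.com post
    ("maintain-java-jar", re.compile(r"^/maintain/java\.jar$"), None),
]

# Constructed log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return the list of indicator labels a URL matches (empty list if none)."""
    if "://" not in url:            # "host:8080/path" would otherwise parse "host" as a scheme
        url = "http://" + url
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "") in BAD_IPS:
        reasons.append("known-bad-ip")
    for label, path_re, query_re in URL_SHAPES:
        if path_re.match(parts.path) and (query_re is None or query_re.match(parts.query)):
            reasons.append(label)
    return reasons


def scan_log(lines):
    """Return one record per log line that matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                # unparseable line: skip rather than guess
        reasons = classify_url(m["url"])
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample log; hosts and paths are the ones quoted on this page.
SAMPLE_LOG = """\
2012-11-22T08:31:02Z 10.1.2.33 GET http://www.example.com/index.html 200
2012-11-22T08:31:09Z 10.1.2.33 GET http://ceredinopl.ru:8080/forum/links/column.php 200
2012-09-24T18:50:11Z 10.1.2.40 GET http://pallada-cruise.net/detects/plain-keyboard_beginning-monitor.php 200
2012-09-11T15:40:00Z 10.1.2.41 GET http://blue-lotusgrove.net/main.php?page=559e008e5ed98bf7 200
2012-09-11T15:40:05Z 10.1.2.41 GET http://203.91.113.6/maintain/java.jar 200
2012-09-11T15:41:00Z 10.1.2.42 GET http://www.example.com/main.php?page=home 200
2012-11-13T09:00:00Z 10.1.2.50 GET http://202.180.221.186/ 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```

The query check matters: a legitimate /main.php?page=home is not flagged, while the 16-hex-character page token the September posts quote is. Matching the path rather than the exact domain is deliberate, since the domains on this page rotate every day or two while the URL shapes and the hosting IPs stay put.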